In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Tuesday, July 15, 2008

The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit

Raising Symantec's ThreatCon based on a newly introduced exploit within a (random) copy of a popular web malware exploitation kit? Now that's interesting given that there are other modified versions of the publicly available malware kit empowered with exploits as they get released, the single most logical move a administrator of such kit would do is diversity the exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised already :

"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit, it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available: F0E42D50-368C-11D0-AD81-00A0C90DC8D9 F0E42D60-368C-11D0-AD81-00A0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9"

Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a commodity despite it's publicly announced varying price in the thousands, it leaked for public use just like MPack and Icepack did originally, making statements on the exact type of the vulnerabilities included within a bit pointless, since it will only cover the the exploits included in a particular version only. Web malware exploitation kits are very modular, namely, anyone can introduce new exploits, and tweak them, which is what they've been doing for a while, mostly converging third party traffic management systems with the malware kits in order to improve both, the metrics, and the evasive practices used for making a particular campaign a bit more time consuming to analyze.

Just like the innovations introduced within open source malware, and their localizations to native languages, the open source nature of web malware exploitation kit can result in countless number of variants whose new features make it sometimes difficult to assess whether or not it's a modified kit or an entirely new one - depending on the sophistication of the features of course. The introduction of new exploits within a copy of a particular malware kit should be considered as something logical, and if it's that big a deal, there are many other web malware exploitation kits whose features turn Neosploit into the "outdated choice" for malicious attackers.